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(54) Service control network and its control method 



(57) The present Invention relates to an IP network 
including mobile environment and, in particular, to a 
service control network and its control method for pro- 
viding individual service to every user or terminal of an 
IP network. In a service control network including a serv- 
ice control device (3) for performing Layer-7 service 
control for mobile terminals, an authentication server 
device (4) specifies a Layer-7 profile and an associated 
dependent Layer-3 profile of a mobile terminal (1 ) at the 



success of the authentication of the mobile terminal. An 
edge device (5) transfers packets, which have been re- 
ceived from the mobile terminal (1) after the success of 
the authentication of the mobile terminal and match the 
dependent Layer-3 profile, to the service control device 
(3). The service control device controls the Implemen- 
tation of a Layer-7 service for packets which have been 
received from the edge device and match the Layer-7 
profile. 
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Description 

[0001 ] The present Invention relates to an IP network 
Including a mobile environment and, in particular, to a 
service network and a control method for providing In- 
dividual service to every user or terminal of an IPv6 net- 
work. 

[0002] In recent years, various kinds of terminals per- 
forming audio and/or data communication have been 
connected to an IP network Including a mobile environ- 
ment, and service providers have come to provide dif- 
ferent service to every user under contract with each us- 
er. For example, QoS (Quality of Service) for assuring 
predetermined communication quality to every user, 
DiffServ (Differentiated Service) for transferring packets 
for particular users on a priority basis according to pri- 
orities assigned to packets, etc. have been provided. 
[0003] In each case, service control Information for a 
terminal is distributed from a server which controls a pre- 
determined network to an edge node to which the ter- 
minal is connected, and the edge node provides the 
above service, etc., based on the service control Infor- 
mation cached by It. Furthermore, among different net- 
works, service control Information for the terminals con- 
cerned is distributed to edge nodes in the networks 
through gateways or the like, and the edge nodes pro- 
vide the above service, etc., by transferring the neces- 
sary service control information to the communication 
partner. 

[0004] However, the aforementioned QoS, Diff- 
Serve, or the like is a network layer service (called "Lay- 
er-3 service" hereinafter) using IP packets, and an ap- 
plication layer service (called "Layer- 7 service 11 herein- 
after), such as an English-to-Japanese translation serv- 
ice, future demand for which Is expected, can not be pro- 
vided sufficiently through the present networks. 
[0005] Furthermore, the Layer-3 service between dif- 
ferent networks has been possible, but the new Layer- 
7 service has had a problem In that its service area Is 
restricted to a predetermined area. For example, there 
has been a problem that English-to-Japanese transla- 
tion service or the like provided for users of home net- 
works is not provided to users who have moved to an 
external network through which the service is not pro- 
vided. 

[0006] By the way, a protocol for processing content 
called ICAP (Internet Content Adaptation Protocol) has 
been proposed by IETF. When this protocol is used, an 
ICAP server function corresponding to a content 
processing server function can be provided for optional 
devices, and thereby a more flexible content processing 
network can be constructed. 
[0007] However, there has been a problem that as 
ICAP Is a protocol with which an ICAP server and an 
ICAP client communicate, various flexible and efficient 
content processing services as required under the Lay- 
er- 7 service environment cannot be provided using only 
ICAP. For this reason, there also has been a problem 



that service providers cannot get Into the Layer-7 serv- 
ice market. 

[0008] it Is therefore desirable to provide a service 
control network and a control method capable of provid- 
5 Ing Layer-7 service In addition to conventional Layer-3 
service. 

[0009] It is also desirable to provide a service control 
network and a control method for allowing a mobile user 
to obtain Layer-7 service through the network to which 
io the user has moved, as through the home network of 
the user, without considering the network that the user 
Is utilizing. 

[0010] It is also desirable to provide a service control 
network and Its control method for performing various 
flexible and efficient content processing under Layer-7 
service environment and allowing service providers to 
get Into a Layer-7 service market easily. 
[001 1] The present Invention provides a service con- 
trol network comprising an authentication server device 

20 for performing user authentication, an edge device for 
performing Layer-3 service processing for a mobile ter- 
minal managed by that edge device, and a service con- 
trol device for performing Layer-7 service control for that 
mobile terminal, wherein that authentication server de- 

25 vice comprises a means for specifying a Layer-7 profile 
and an associated Layer-3 profileof that mobile terminal 
at the success of the authentication of that mobile ter- 
minal, the edge device comprising a means for transfer- 
ring packets, which have been received from that mobile 

30 terminal after the success of the authentication of that 
mobile terminal and match that Layer-3 profile, to that 
service control device, the service control device com- 
prising a means for controlling the Implementation of 
Layer-7 service concerned for packets which have been 

ss received from that edge device and match that Layer-7 
profile. 

[0012] Three kinds of service control devices, that is, 
tightly edge-coupled service control device, loosely 
edge-coupled service control device, and functlon-de- 

40 pendent service control device are provided, and there- 
by flexible, economical, and different Layer-7 services 
are provided. The aforementioned authentication server 
device is provided with a Layer-7 service managing 
means for managing a Layer-7 profile for every mobile 

43 terminal. 

[0013] Preferred features of the present invention will 
be more clearly understood from the description as set 
forth below with reference to the accompanying draw- 
ings, in which: 

50 

Fig.1 shows a basic configuration of a service con- 
trol network according to the present invention. 
Flg.2 shows basic configurations of the edge devic- 
es shown In Flg.1 . 
55 Fig .3 shows more detail configurations of the serv- 
ice control device and the authentication server de- 
vice shown in Flg.2. 

Flg.4 shows a first embodiment of the present In- 
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ventlon. 

Fig.5 shows an example of an operation sequence 
of the first embodiment 

Flg.S shows an example of a service control device 
management table. 5 
Flg.7 shows an example of a service management 
table. 

Flg.8 shows an example of a service control device 

address management table. 

Fig. 9 shows an example of a profile of a mobile ter- 10 

mlnal. 

Fig. 1 0 shows an example of a configuration of a de- 
pendent Layer-3 profile. 

Fig. 11 shows a specific example of a dependent 
Layer-3 profile. 15 
Flg.12 shows an example of an Independent Layer- 
3 profile of a transmitter. 

Fig.13A shows an example (1) of an independent 

Layer-3 profile of a transmitter. 

Fig.13B shows an example (2) of an Independent 20 

Layer-3 profile of a transmitter. 

Fig. 14 shows a second embodiment of the present 

invention. 

Fig. 15 shows an operation sequence of the second 
embodiment. . & 

Flg.16 shows an example of a Layer-7 profile. 
Fig. 1 7 shows an example of an Independent Layer- 
3 profile of a transmitter. 

Ftg. 18 shows a third embodiment of the present In- 
vention. 50 
Fig.19 shows an operation sequence of the third 
embodiment. 

Fig. 20 shows a fourth embodiment of the present 
Invention. 

Flg.21 shows an operation sequence of the fourth 3s 
embodiment. 

Fig.22 shows a fifth embodiment of the present in- 
vention. 

Flg.23 shows an operation sequence of the fifth em* 
bodlment. 40 
Flg.24 shows an example of a dependent Layer-3 
profile. 

Fig.25 shows a control flow of the authentication cli- 
ent section of an edge device. 
Fig.26 shows a control flow (1 ) of the service basic 
processing section of an edge device. 
Flg.27 shows a control flow (2) of the service basic 
processing section of an edge device. 
Fig.28 shows a control flow (3) of the service basic 
processing section of an edge device. so 
Fig.29 shows a control flow (4) of the service basic 
processing section of an edge device. 
Flg.30 shows a control flow of the L3 profile man- 
aging section. 

Fig.31 shows a control flow (1) of the service control 55 
device managing section of an edge device. 
Flg.32 shows a control flow (2) of the service control 
device managing section of an edge device. 



4 

Fig.33 shows a control flow (1 ) of the authentication 
proxy section of a service control device. 
Flg.34 shows a control flow (2) of the authentication 
proxy section of a service control device. 
Flg.35 shows a control flow (1 ) of the service basic 
processing section of a service control device. 
Fig.36 shows a control flow (2) of the service basic 
processing section of a service control device. 
Fig.37 shows a control flow (3) of the service basic 
processing section of a service control device. 
Fig.38 shows a control flow (4) of the service basic 
processing section of a service control device. 
Fig.39 shows acontrolfiow (1) of the service switch- 
ing section of a service control device. 
Fig .40 shows a control flow (2) of the service switch- 
ing section of a service control device. 
Flg.41 shows a control flow (1 ) of the service control 
section of a service control device. 
Fig .42 shows a control flow (2) of the service control 
section of a service control device. 
Fig .43 shows a control flow of the service Imple- 
menting section of a service control device. 
Fig .44 shows a control flow (1 ) of the authentication 
server section of an authentication server device. 
Fig.45 shows a control flow (2) of the authentication 
server section of an authentication server device. 
Flg.46 shows a control flow (1 ) of the profile transfer 
section of an authentication server device. 
Flg.47 shows a control flow (2) of the profile transfer 
section of an authentication server device. 
Fig.48 shows a control flow (3) of the profile transfer 
section of an authentication server device. 
Flg.49 shows a control flow (4) of the profile transfer 
section of an authentication server device. 
Flg.50 shows a control flow (5) of the profile transfer 
section of an authentication server device. 
Fig. 51 shows a control flow (6) of the profile transfer 
section of an authentication server device. 
Fig.52 shows a control flow of the service managing 
section of an authentication server device. 

[0014] Flg.1 shows a basic configuration of a service 
control network according to the present invention. 
[0015] In Fig.1 , a mobile terminal device 1 is moved 
and connected to an edge device 2 In an IP network 7. 
A fixed terminal device 6 Is also connected to the IP net- 
work 7 through an edge device 5. The mobile terminal 
device 1 Is a data communication terminal such as a 
mobile telephone or a notebook-sized PC, and the fixed 
terminal device 6 is a Web server device, a database 
device, an ordinary personal computer, or the like. 
[0016] The IP network 7 Is the Internet or an IP net- 
work operated by a carrier or the like, and an IPv6 net- 
work Is adopted as the IP network 7 In the present In- 
vention. The edge device 2 and the edge device 5 are 
configured with routers, etc. which manage a predeter- 
mined area (domain area) in the IP network 7. 
[0017] In the present Invention, the edge device 2, 



3 



5 



EP 1 355 473 A2 



6 



when a new mobile terminal device 1 Is connected, 
gives an IP address to the mobile terminal device 1 at 
first, and then transmits a user authentication request, 
to which the IP address and a NAI (Network Access 
Identifier) uniquely defining every terminal, which have 
been received from the mobile terminal device 1, are 
added, to a service control device 3 having a predeter- 
mined relation with the edge device 2. 
[0018] The service control device 3 transmits the re- 
ceived user authentication request to an authentication 
server device 4 as it is. The authentication server device 
4 accepts the user authentication request from the serv- 
ice control device 3, and then performs an authentica- 
tion processing for the user. When the user authentica- 
tion has succeeded, the authentication server device 4 
according to the present Invention transmits the Layer- 
3 profile and the Layer-7 profile of the user with a notice 
of the success of the user authentication , to the service 
control device 3. 

[001 9] The service control device 3 caches the Layer- 
7 profile required at the time when providing Layer-7 
service to the user, and transmits the above notice and 
a conventional Layer-3 profile to the edge device 2. The 
edge device 2 transmits a notice saying that the user 
authentication has been succeeded, to the mobile ter- 
minal device 1 , and caches the received Layer-3 profile. 
[00201 After that, the edge device 2 starts a Layer-3 
service, such as QoS or Dlff-Serv, for every user based 
on the cached Layer-3 profile as before. In addition, in 
a predetermined case, the service control device 3 Is 
provided on the communication path between the edge 
device 2 which Is a transmitter, and the edge device 5 
which Is a destination, and the service control device 3 
provides, based on a Layer-7 profiie cached before- 
hand, a Layer-7 service such as Engllsh-to-Japanese 
translation service to which the user has subscribed, 
when performing the communication concerned. 
[0021 1 In this case, the edge device 2 transfers pack- 
ets, which have been transmitted by the mobile terminal 
device 1 and satisfy a predetermined condition notified 
by the authentication server device 4, to the service con- 
trol device 3, which Interprets the Layer-7 service Infor- 
mation of the received packets and performs the service 
concerned when the Layer-7 service information satis- 
fies the service starting condition of the service control 
device 3. 

[0022] The predetermined condition is an individual 
condition such as a source IP address, a destination IP 
address, a source port number, or a destination port 
number, or a combination of some of them. When the 
edge device 2 starts to communicate with the destina- 
tion edge device 5, the processing of transferring a Lay- 
er-3 profile necessary for providing Layer-3 service Is 
performed between the edge device 2 and the edge de- 
vice 5 as before. 

[0023] As described above, in the present invention, 
when authentication of a user Is performed, the service 
control device 3 caches a Layer-7 profile of the user for 



a Layer-7 service to which the user has subscribed, and 
the edge device 2 caches a Layer-3 profile of the user 
for a Layer-3 service to which the user has subscribed. 
Thus, a Layer-3 service between the edge device 2 and 

5 the edge device 5 Is Implemented as before and, in a 
certain case, the service control device 3 is provided on 
a communication path between the both edge devices 
to provide a new Layer-7 service. 
[0024] Consequently, It Is not required to restrict the 

w service area of the service control device 3 In the IP net- 
work 7 and, even If the mobile terminal device 1 has 
moved to a network which is not providing a Layer-7 
service and utilizing it, a Layer-7 service to which the 
user of the mob lie terminal device 1 has subscribed may 

15 be provided to the user. Furthermore, several kinds of 
service control devices described below allow flexible 
and efficient service networks. 
[0025] Fig. 2 shows basic configurations of devices 
constituting the service control network shown in Fig.1 . 

20 [0026] In Flg.2, the edge device 2 has a router func- 
tion, and the service basic processing section 23 of the 
router Implements basic service such as routing 
processing through the communication processing sec- 
tion 26 having an Interface to the IP network 7. The au- 

25 thentication client section 25 accepts an authentication 
request from the mobile terminal device 1 , and commu- 
nicates with the authentication server device 4 accord- 
ing to the authentication request. 
[0027] The L3-prof He managing section 21 stores and 

30 manages Layer-3 profiles cached from the authentica- 
tion server device 4. The L3-service processing section 
22 performs Layer-3 service processing based on the 
cached Layer-3 profiles. The service control device 
managing section 24 stores and manages Information 

35 regarding the service control device 3 described next. 
The edge device 5 has the processing sections 51 to 54 
which are basically identical with the above. However, 
as a fixed terminal device 6 such as a Web server Is 
connected to the edge device 5, processing sections like 

to the sections 24 and 25 of the edge device 2 related to 
authentication are not provided. 
[0028] The service control device 3 provides a Layer- 
7 service. The service control device 3 according to the 
present invention is configured in three types described 

<* with reference with Flg.3, but Fig, 2 shows only a tightly 
edge-coupled service control device which Is a typical 
service control device. The profile managing section 31 
of the service control device 3 stores and manages Lay- 
er-7 profiles and independent Layer-3 profiles cached 

so from the authentication server device 4. The L7-service 
processing section 33 performs Layer-7 service 
processing based on the cached Layer-7 profiles. The 
authentication proxy section 32 relays control signals for 
authentication transferred between the edge device 2 

55 and the authentication server device 4. 

[0029] The authentication server device 4 performs 
authentication processing for the mobile terminal devic- 
es 1 connected to the edge device 2 based on the stored 
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authentication Information. The authentication server 
processing section 42 keeps Layer-3 profiles and Layer- 
7 profiles of mobile terminal devices 1 1n addition to the 
authentication Information. The authentication server 
processing section 42 accepts an authentication re- s 
quest from the edge device 2 relayed by the authenti- 
cation proxy section 32 of the service control device 3, 
and then attaches the Layer-3 profile and Layer-7 profile 
of a mobile terminal device concerned to the notification 
of the success of the authentication, and transmits them 
to the service control device 3. 
[00301 Flg-3 shows more detail block configurations 
of the service control device and the authentication serv- 
er device shown In Rg.2. 

[0031] As shown In Fig. 3, there are three types of 
service control devices 3 according to the present In- 
vention, that Is, a tightly edge-coupled service control 
device 3-1 , a loosely edge-coupled service control de- 
vice 3-2, and a function-dependent service control de- 
vice 3-3. 

[0032] The tightly edge-coupled service control de- 
vice is a service control device which provides a Layer- 
7 service, in conjunction with one or more particular 
edge devices which are allowed to have a logical con- 
nection relation, to users managed by the edge devices, 
in Flg.3, the tightly edge-coupled service control device 
3-1 provides a Layer-7 service In conjunction with a par- 
ticular edge device 2. 

[0033] The loosely edge-coupled service control de- 
vice is a service control device allowed to have a logical 
connection relation to all edge devices, and provides 
Layer-7 service, in conjunction with the edge devices, 
to users managed by the edge devices. 
[0034] In Fig.3, the loosely edge-coupled service con- 
trol device 3-2 provides a Layer-7 service, also In con- 
junction with other edge devices (not shown) such as a 
edge device 5, to users managed by the edge devices, 
without restricting to the edge device 2. 
[0035] The function-dependent service control device 
Is a service control device which provides a Layer-7 
service, in conjunction with tightly edge-coupled service 
control devices and/or loosely edge-coupled service 
control devices, to users managed by edge devices hav- 
ing a logical connection relation with the service control 
devices. In Flg.3, the function-dependent service control 
device 3-3 provides a Layer-7 service, In conjunction 
with the tightly edge-coupled service control device 3-1 
and the loosely edge-coupled service control device 
3-2, to users managed by the edge device 2 etc., having 
a logical connection relation with the service control de- 
vices 3-1 and 3-2. 

[0036] in the tightly edge-coupled service control de- 
vice 3-1 , the L7-servlce processing section 33 shown In 
Flg.2 consists of a service control section 331 , a service 
switching section 332, a service basic processing sec- 
tion 333, and a service implementing section 334. The 
service control section 331 controls Layer-7 service 
while referring to Layer-7 profiles In the profile managing 



section 31 . 

[0037] The service switching section 332 has a func- 
tion of making a connection with the service basic 
processing section 333 described next, and controls the 
service basic processing section 333 and determines 
whether the starting condition for a Layer-7 service has 
been satisfied, based on a service control request from 
the service control section 331 . 
[0038] The service basic processing section 333 
builds up Layer-7 information from packets received 
from the communication processing section 34, notifies 
the Layer-7 Information to the service switching section 
332, and divides Layer-7 information notified from the 
service switching section 332 Into packets to output 
them to the communication processing section 34. The 
service Implementing section 334 Implements an actual 
Layer-7 service In conjunction with the service basic 
processing section 333. 

[0039] Configuration of each section of the loosely 
edge-coupled service control device 3-2 Is Identical with 
that of the tightly edge-coupled service control device 
3-1 described above. However, the loosely edge-cou- 
pled service control device 3-2 targets all of the edge 
devices of the IP network 7, and thereby It Is not required 
to distribute a profile to the service control device dy- 
namically every time a mobile terminal Is authenticated. 
For this reason, the authentication server communica- 
tion section 37 communicating with the authentication 
server device 4, obtains necessary profiles from the au- 
thentication server device 4, and notifies Information 
about itself to the authentication server device 4. 
[0040] Furthermore, configuration of each of the sec- 
tions of the function-dependent service control device 
3-3 Is, In principle, Identical with that of the tightly edge- 
coupled service control device 3-1 or the loosely edge- 
coupled service control device 3-2. However, the func- 
tion-dependent service control device 3-3 is so config- 
ured that It provides only some useful functions effec- 
tively without having ail of their functions. 
[0041] In Flg.3, the function -dependent service con- 
trol device 3-3 depends on the tightly edge-coupled 
service control device 3-1 In functions related to authen- 
tication processing, while being provided with a service 
control section 35 and a L7-profile/service managing 
section 36 having a function limited to a Layer-7 service 
In order to provide many different Layer-7 service to 
more users. The service control section 35 shown In Fig. 
3 functions like the service control section 331 described 
above and controls a Layer-7 service while referring to 
Layer-7 profiles in the L7-profile/service managing sec- 
tion 36. 

[0042] Next, concerning the authentication server de- 
vice 4, the authentication server processing section 42 
shown In Flg.2 consists of an authentication server sec- 
tion 421, a profile/service managing section 422, a pro- 
file transferring section 423, and a service control device 
managing section 424. The authentication server 421 
keeps information necessary for user authentication 
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and performs user authentication processing. The pro- 
file/service managing section 422 keeps Information 
about service, Layer-7 profiles, Independent-type Lay- 
er-3 profiles, and dependent-type Layer-3 profiles. The 
difference between Independent-type and dependent- 
type will be described later. 

[0043] The profile transferring section 423 analyzes 
profiles to be transmitted to the tightly edge-coupled 
service control device 3*1 and the loosely edge-coupled 
service control device 3-2, and transfers Layer-7 profiles 
to the loosely edge-coupled service control device 3-2. 
The service control device managing section 424 man- 
ages information related to the tightly edge-coupled, 
loosely edge-coupled, and function-dependent service 
control devices. Lastly, the service implementing server 
device 8 added in Flg.3 will be described briefly. The 
service implementing server device 8 is an application 
server provided for providing Layer-7 service on the IP 
network 7. As an example, the service implementing 
section 82 of the service Implementing server device 8 
receives an English-to-Japanese translation request 
from the tightly edge-coupled service control device 3-1 , 
and then starts the processing of En gllsh-to- Japanese 
translation and transmits the result of the processing to 
the tightly edge-coupled service control device 3-1 . 
[0044] In the following descriptions, the first to fifth 
embodiments of the present Invention are discussed 
first. After that, detail control flows of the above sections 
(processing functions), which realize these embodi- 
ments, are discussed. 

[0045] Figs.4 to 13b show a first example of the 
present Invention. Fig. 4 shows a first example configu- 
ration of a service control network according to the 
present invention, Ftg.5 shows an operation sequence 
of It, and Flgs.6 to 1 3B show an example of service pro- 
files, etc. 

[0046] In a specific example shown in Fig. 4 of the 
service control network shown In Flg.1 , a mobile termi- 
nal (MT) 1 , edge devices (E1 and E2) 2 and 5, a Web 
server device (WS) 6, an authentication server device 
(Auth) 4, tightly edge-coupled service control devices 
(SC1 and SC2) 3-10 and 3-1 1 , and Internet 7 are used. 
The feature of this example is that the tightly edge-cou- 
pled service control devices 3-1 0 and 3-1 1 operating in 
conjunction with the particular edge device 2 are provid- 
ed. 

[0047] Each of the tightly edge-coupled service con- 
trol devices 3-10 and 3-11 is directly connected to the 
edge device 2 without going through the Internet 7 and, 
thereby, all communication between the tightly edge- 
coupled service control device 3-10 or 3-11 and an ex- 
ternal device is performed through the edge device 2. 
The mobile terminal 1 has "mt^domainX" as an NAI 
(Network Access identifier), and the user of It has sub- 
scribed to U RL filtering service of a Layer-7 service, and 
Diff-Serv of a Layer-3 service. 
[0048] The operation of the first embodiment Is de- 
scribed below with reference to Flg.5. In the following 



embodiment, description is made respectively to the op- 
eration of Implementing a Layer-7 service only, the op- 
eration of Implementing a Layer-7 service and a Layer- 
3 service operated In conjunction with each other, and 
5 the operation of Implementing Layer-3 service only. 

(1 ) The tightly edge-coupled service control device 3-1 0 
periodically notifies the present load status to the par- 
ticular edge device 2 capable of operating In conjunction 
with it. In addition, the tightly edge-coupled service con- 

10 trol device 3-10 notifies the number of registered users 
and the number of registered Layer-7 profiles managed 
by the edge device 2 to the edge device 2 using the 
same signal. According to the above notification, the 
edge device 2 creates a tightly edge-coupled service 

15 control device management table as shown In Flg.6 and 
renews it. 

(2) Like the tightly edge-coupled service control device 
3-10, the tightly edge-coupled service control device 
3-11 periodically notifies the present load status to the 

20 particular edge device 2 capable of operating In con- 
Junction with It. According to the above notification, the 
edge device 2 add the tightly edge-coupled service con- 
trol device 3-11 to the tightly edge-coupled service con- 
trol device management table. In the example shown In 

25 Fig. 6, the load (50) of the tightly edge-coupled service 
control device 3-10 is smaller than the load (70) of the 
tightly edge-coupled service control device 3-11 . 

(3) Next, when the mobile terminal 1 has been moved 
and is managed by the edge device 2; the edge device 

30 2 assigns an IF address (Addr(MT)) to the mobile termi- 
nal 1 . The mobile terminal 1 transmits an authentication 
request message Including its NAI (mtOdomalnX) and 
the aforementioned IP address to the edge device 2. 

(4) The edge device 2 refers to the aforementioned tight- 
35 iy edge-coupled service control device management ta- 
ble, and selects the tightly edge-coupled service control 
device 3-1 0 having a smaller load based on the load in- 
formation In the table. The edge device 2 then transmits 
the aforementioned authentication request message to 

4> the selected tightly edge-coupled service control device 
3-10. 

(5) The tightly edge-coupled service control device 3-10 
receives the authentication request message, and then 
transmits an authentication request message, in which 

45 a service control device identifier SC-ID (= 5C1) of a 
transmitter is further set, to the authentication server de- 
vice 4 managing the mobile terminal 1 . 

(6) The authentication server device 4 performs authen- 
tication processing for the mobile terminal 1 when re- 

50 ceiving the aforementioned authentication request mes- 
sage. When succeeding the authentication, the authen- 
tication server device 4 retrieves the profile (see Flg.9) 
of the mobile terminal 1 using the NAI (mt@domainX) 
of the mobile terminal as a keyword. In the example 

55 shown in Fig.9, it is understood that the user of the mo- 
bile terminal 1 has subscribed to a URL filtering service 
(service ID = 1) which Is a Layer-7 service, and a Diff- 
Serv (service ID = 2) which is a Layer-3 service. 
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[0049] The profile with a profile ID of P1-1 shown In 
Fig. 9 is a Layer-7 profile, and the dependent Layer-3 
profile of It Is configured as shown In Fig. 1 0. Fu rther, the 
profile with a profile ID of P1-2 is an independent Layer- 

3 profile. Likewise, the profile with a profile ID of P1 -3 Is 
an Independent Layer-3 profile. 

[0050] In this description, "dependent" means that a 
Layer-3 service Is dependent on a Layer-7 service, and 
the dependent Layer-3 profile defines Layer-3 service 
provided under Layer-7 service. On the other hand, "in- 
dependent 0 means that Layer-3 service is defined inde- 
pendently of Layer-7 service. The Independent Layer-3 
profile (ID = P1-2) is cached and used by the edge de- 
vice 2 managing the mobile terminal 1, and the Inde- 
pendent Layer-3 profile (ID = P1 -3) is cached and used 
by the edge device 5 managing the Web server device 
6 which Is the communication partner of the mobile ter- 
minal 1 . For this reason, different priorities can be ap- 
plied to each of an upward signal and a downward signal 
of DlffServ. 

[0051] Next, the authentication server device 4 re- 
trieves the service management table shown In Fig.7, 
confirms that the service (service ID = 1) can Decontrol- 
led by a service control device having a service control 
device identifier (SC-ID = SC1) included In the afore- 
mentioned request, and that the service control device 
Is atlghtly edge-coupled service control device, and rec- 
ognizes, based on this confirmation, that It is necessary 
to provide Layer-7 profiles dynamically. The word "dy- 
namically 0 means that the authentication server device 

4 transfers and provides a Layer-7 profile, at terminal 
authentication, for the service control device which 
needs the Layer-7 profile. 

[0052] Next, the authentication server device 4 refers 
to the service control device address management table 
shown in Fig. 8, and obtains a service reception address 
(Addr(SC1-1), port number 80) of the tightly edge-cou- 
pled service control device 3-1 0 using the previously ob- 
tained service ID (=1) and SC-ID (=SC1) as a retrieval 
key. The authentication server device 4 creates, based 
on this service reception address, a dependent Layer-3 
profile (see Flg.11) which defines that a destination of 
packets, to which Layer-7 service (URL filtering service) 
is applied, of the packets transmitted from the mobile 
terminal 1 , is the tightly edge-coupled service control de- 
vice 3-10. 

[0053] Further, the profile reception address shown in 
Fig.8 is a profile destination address used when the au- 
thentication server device 4 transmits a profile to a 
loosely edge-coupled service control device dynamical- 
ly or statically. In this embodiment, both of SC1 (3-11) 
and SC2 (3-1 2) are tightly edge-coupled service control 
devices, no address ( - ) is set In the profile reception 
address columns for SC1 and SC2. 
[0054] In case of the dependent Layer-3 profile (P1-4) 
shown in Fig. 11 , when a packet received from the mo- 
bile terminal 1 satisfies a "transfer condition", that Is, 
when the address of the source of the received packet 



agrees with the IP address (Addr(MT)) of the mobile ter- 
minal 1 and the destination TCP port Is "80" (HTTP serv- 
ice), the received packet Is transferred to the service re- 
ception address (Addr(SC1-1), port number 80) of the 

5 tightly edge-coupled service control device 3-10. 
[0055] Furthermore, In case of the Independent Lay- 
er-3 profile (P1 -2) shown in Fig.1 2, the IP address (Addr 
(MT)) of the mobile terminal 1 is set as a source IP ad- 
dress which Is a "condition", and the edge device 2 

io transmits packets received from the mobile terminal 1 
to a destination according to the priority of DSCP (Dlff- 
Serv Cord Point) value "X". 

[0056] in case of the independent Layer-3 profile 
(P1-3) shown In Flg.l3A, when a user does not obtain 

15 a Layer-7 service but obtains a Layer-3 service only, the 
IP address (Addr(MT)) of the mobile terminal 1 1s set as 
a destination IP address which Is a "condition". For this 
reason, a Layer-3 service Is provided to packets directly 
transmitted, without through a service control device, to 

20 the mobile terminal 1 from the device communicating 
with it and, thereby, a Layer-3 service can be provided 
in both of the upward directions and downward direction 
of the mobile terminal. Further, In case of the Independ- 
ent Layer-3 profile (SP-13) shown In Flg.13B, when a 

2$ user obtains a Layer-7 service and a Layer-3 service, 
an IP address (Addr(SC1 -2)) of the tightly edge<oupled 
service control device 3-1 0 Is set. For this reason, pack- 
ets transmitted by the Web server which is a communi- 
cation partner are relayed by the tightly edge-coupled 

so service control device 3-1 0, and thereby Layer-3 service 
can be provided in both of the upward directions and 
downward direction of the mobile terminal. 
[0057] Lastly, when transmitting an authentication re- 
sponse message to the tightly edge-coupled service 

as control device 3-10, the authentication server device 4 
Includes the Layer-7 profile (P1 -1) related to the afore- 
mentioned Layer-7 service and its dependent Layer-3 
profile (P1-4), and the Independent Layer-3 profiles 
(P1 -1 and 1 -3) In the response message and transmits 

*o them to the tightly edge-coupled service control device 
3-10. 

(7) The tightly edge-coupled service control device 3-1 0 
receives the authentication response message, and 
then caches the Layer-7 profile (P1-1) necessary for 

43 providing Its Layer-7 service, and the independent Lay- 
er-3 profiles (P1 -3) to be transferred to the edge device 
5 managing the device 6 which Is the communication 
partner, and transmits an authentication response mes- 
sage, in which the independent Layer-3 profiles (P1-2 

so and P1 -3) and the dependent Layer-3 profile (P1 -4) are 
set, to the edge device 2. 

(8) The edge device 2 receives the authentication re- 
sponse message, and then caches the independent 
Layer-3 profiles (P1 -2 and P1 -3) necessary for providing 

55 its Layer-3 service, and the dependent Layer-3 profile 
(P1-4) related to the providing of Layer-7 service, and 
transmit an authentication response message not In- 
cluding them to the mobile terminal 1. 
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(9) The mobile terminal 1 transmits a content requesting 
packet to the Web server device 6 which Is the commu- 
nication partner after confirming the authentication re- 
sponse, and the edge device 2 stores the content re- 
questing packet for a certain period and determines 
whether the content requesting packet matches the con- 
dition defined in the Layer-3 profile (P1-2) or the de- 
pendent Layer-3 profile (P1-4). In this case, the source 
IP address and the destination TCP port of the received 
packet matches all of the conditions, which are defined 
as the "conditions 0 of the Independent Layer-3 profile 
and the "transfer conditions" of the dependent Layer-3 
profile. 

[0058] For this reason, the received packet Is encap- 
sulated by a packet In which the DSCP value of the 
packet header Is "X", and the destination IP address In- 
cludes the I P address (Add r(SC1 -1 )) of the tightly edge- 
coupled service control device 3-10. At that time, a pro- 
file ID (= P1 -1 ) related to the matched Layer-7 profile is 
set to the Ipv6 extended header. Thus, the packet in 
which the DSCP value Is "X" Is transferred from the edge 
device 2 to the tightly edge-coupled service control de- 
vice 3-10. 

[0059] When the packet Is transferred from the edge 
device 2 to the tightly edge-coupled service control de- 
vice 3-10, the destination IP address of the received 
packet may be rewritten to the IP address (Addr(SC1 -1 )) 
of the tightly edge-coupled service control device 3-10. 
In addition, when the edge device 2 and the tightly edge- 
coupled service control device 3-10 are connected di- 
rectly without through a router or the like, as configured 
In this embodiment, all of the packets satisfying the con- 
ditions may be transferred directly to the tightly edge- 
coupled service control device 3-10, Instead of rewriting 
the destination IP address. 

(10) The tightly edge-coupled service control device 
3-1 0 receives a packet from the edge device 2, and then 
builds up Layer-7 Information and performs determina- 
tion about a Layer-7 trigger based on the Layer-7 Infor- 
mation. The Layer-7 service starting condition trigger Is 
set, for example, In the service switching section 332 
(Flg.3), and In case of the URL filtering service In this 
embodiment, the Layer-7 trigger is detected by the start- 
ing condition "a content request message has oc- 
curred". 

[0060] In this case, as the tightly edge-coupled serv- 
ice control device 3-10 has already received the 
matched profile ID (= P1-1) from the edge device 2, It 
can recognize the corresponding Layer-7 profile (P1-1) 
easily. The tightly edge-coupled service control device 
3-1 0 learns, from the Layer-7 profile, that the user of the 
mobile terminal 1 concerned has subscribed to an URL 
filtering service such as a service of blocking the access 
to a pay content, and then performs the URL filtering 
service for the received URL using the URL access list. 
[0061] When the content request message passes 
the URL filter, the tightly edge-coupled service control 
device 3-1 0 recognizes, from the DSCP value M X H set In 



the header of the received packet, that Layer-3 service 
(DlffServ) Is applied for the transfer of the packet. For 
this reason, the tightly edge-coupled service control de- 
vice 3-10 reserves Its I P address (Addr(SC 1 -2)) and port 

5 number (Port (SC1-2)), and sets this Information In the 
Independent Layer-3 profile (SP1-3), based on the In- 
dependent Layer-3 profile (P1-3), to transmit the inde- 
pendent Layer-3 profile to the edge device 2 (Flg.1 3B). 
[0062] The edge device 2 stores the received inde- 

io pendent Layer-3 profile, for a certain period, In prepa- 
ration for a Layer-3 profile request message from the 
edge device 5 managing the Web server device 6 with 
which the edge device 2 is communicating. 

(11) The tightly edge-coupled service control device 
15 3-1 0 transmits the content request message which has 

passed the URL f llterto the Web server device 6 through 
the edge device 2. In the header of this transmission 
packet, the reserved source IP address (Addr(SC1-2) 
and TCP port number (Port (SC1-2)), and the same 

20 DSCP value "X" as the received packet are set. The 
edge device 5 with which the tightly edge-coupled serv- 
ice control device 3-10 Is communicating receives the 
packet having DSCP value "X", and then usually clears 
the DSCP value when outputtlng the packet to the Web 

25 server device 6. 

(1 2) The Web server device 6 transmits a content re- 
sponse to the tightly edge-coupled service control de- 
vice 3-10. The destination IP address and destination 
port number of the packet to be transmitted are "Addr 

30 (SC1 -2)" and "port(SC1 -2)" respectively. 

(1 3) The content response passes through the edge de- 
vice 5 managing the Web server 6, and then the edge 
device 5 transmits a Layer-3 profile request message to 
the edge device 2 which Is the transmitter of the Layer- 

35 3 profile. 

(1 4) The edge device 2 receives the Layer-3 profile re- 
quest message, and then sets the independent Layer- 
3 profile previously received from the tightly edge-cou- 
pled service control device 3-1 0 in a corresponding Lay- 

40 er-3 profile response message and transmits it to the 
edge device 5. The edge device 5 caches the received 
independent Layer-3 profile, and allows the Independ- 
ent Layer-3 profile to be applied to packets received 
from the web server 6. 

45 [0063] After that, It Is determined whether a packet 
transmitted by the Web server 6 matches the condition 
of the Layer-3 profile (SP1-3) when the packet passes 
through the edge device 5, and a Layer-3 service is ap- 
plied to a packet matching the condition. In other words, 

so »xr is set to the DSCP value of the header of the packet. 

(15) The tightly edge-coupled service control device 
3-10 receives the content response from the Web server 
6 through the edge device 5, and then transmits the con - 
tent response to the edge device 2. The edge device 2 

55 clears the DSCP value "X" of the received packet and 
then transmits the packet to the mobile terminal 1 . The 
mobile terminal 1 does not have to clear the DSCP value 
"X° because it does not make a determination regarding 
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a DSCP value. 

[0064] Figs. 14 to 17 show a second embodiment of 
the present Invention. Flg.14 shows a second example 
configuration of a service control network according to 
the present Invention, Fig. 15 shows an operation se- 
quence of It, and Figs. 1 6 and 1 7 show an example of a 
service profile, etc. 

[0065] In Flg.14, an edge device (E1) 2 connects with 
a tightly edge-coupled service control devlce(SC1 )3-1 0, 
and another edge device (Ex) 9-1 connects with a tightly 
edge-coupled service control devlce(SC2)3-20. Fur- 
thermore, a service Implementing server device(SE)8 is 
added, which implements English-to-Japanese transla- 
tion processing. The service control devlce(SC2)3-20 In 
this embodiment is a loosely edge-coupled service con- 
trol device for the edge device (El) 2 as shown with a 
dotted line in the figure. 

[0066] Users in this embodiment have subscribed to 
a content English-to-Japanese translation service of a 
Layer- 7 service and DfffServ of a Layer-3 service. Fig. 
16 shows an example of a Layer-7 profile (P2-1). The 
figure of Its dependent Layer-3 profile (P2-4) is omitted 
because it Is Identical to the dependent Layer-3 profile 
(P1-4)ln Rg.11. 

[0067] Fig.17 shows an example of an independent 
Layer-3 profile (SP2-3) cached by the edge device 5 
with which the edge device 2 communicates. The fig- 
ures of Independent Layer-3 profiles (P2-2 and P2-3) 
cached by the edge device 2 are omitted because they 
are Identical with the independent Layer-3 profiles (PI -2 
and P1-3) in Figs.12 and 13A. 
[0068] The operation of the second embodiment Is 
described below with reference to Fig. 15. 
(1) to (3) are Identical with (3) to (5) of the first embod- 
iment except that the edge device 2 transmits an au- 
thentication request message to the only one tightly 
edge-coupled service control device 3-10 with which the 
edge device 2 can connect. 
(4) The authentication server device 4 receives afore- 
mentioned authentication request message, and then 
performs authentication processing for the mobile ter- 
minal 1 . When the authentication server device 4 has 
succeeded in the authentication, it requests information 
on the service to which the mobile terminal 1 has sub- 
scribed in the same manner as the first embodiment. In 
other words, the authentication server device 4 retrieves 
the profile of the mobile terminal 1 concerned using the 
N Al (mt OdomalnX) of the mobile terminal as a keyword, 
and recognizes, based on the service ID obtained from 
the profile, that the mobile terminal 1 has subscribed to 
a content Engllsh-to- Japanese translation service which 
is a Layer-7 service, and DlffServ which is a Layer-3 
service. 

[0069] Next, the authentication server device 4 re- 
trieves the service management table to confirm that 
English -to-Japanese translation corresponding to the 
obtained service ID can be controlled by the loosely 
edge-coupled service control devlce(SC2)3-20 and It is 



necessary to provide profiles dynamically. Furthermore, 
the authentication server device 4 retrieves the service 
control device address management table to obtain the 
service reception address of the loosely edge-coupled 

s service control devlce(SC2)3-20, and the profile recep- 
tion address In case of this embodiment, using the ob- 
tained service ID and SC-ID as a retrieval key. 
[0070] The authentication server device 4 transmits a 
profile transmission message, which Includes the creat- 

10 ed Layer-7 profile (P2-1) and the Independent Layer-3 
profile (P2-3), and In which the aforementioned profile 
reception address is set in the destination address, to 
the loosely edge-coupled service control device 3-20. 

(5) The loosely edge-coupled service control device 
13 3.20 caches the received Layer-7 profile (P2-1 ) and In- 
dependent Layer-3 profile (P2-3), and then transmits a 
profile response message to the authentication server 
device 4. 

(6) The authentication server 4 reads the profile re- 
20 sponse, and then transmits an authentication response 

message, in which a dependent Layer-3 profile (P2-4) 
and an Independent Layer-3 profile (P2-2) related to the 
aforementioned Layer-7 profile are set, to the tightly 
edge-coupled service control devlce(SG1)3-10 which 
25 requested the authentication. In the IP address to which 
the dependent Layer-3 profile is transferred, the service 
reception address (Addr(SC2-1)) of the loosely edge- 
coupled service control device 3-20 is set. 

(7) The tightly edge-coupled service control device 3-10 
30 receives the authentication response message, and 

then recognizes that the Layer-7 profile (P2-1) is not set 
In the authentication response message, and transmits 
the received authentication response message to the 
edge device 2 as It Is. The authentication response mes- 
as sage has no profile to be cached by the tightly edge- 
coupled service control device 3-10. 

(8) The edge device 2 receives the authentication re- 
sponse message, and then caches the Independent 
Layer-3 profiles (P2-2 and P2-3) and the dependent 

to Layer-3 profile (P2-4) to transmit an authentication re- 
sponse message, which does not include these profiles, 
to the mobile terminal 1 . 

(9) After that, the mobile terminal 1 transmits a content 
request packet to the Web server device 6, and then the 

<5 edge device 2 stores it for a certain period, to transmit 
a packet by which the received packet Is encapsulated 
and which has the destination IP address (Addr(SC2-1 ) 
and the DSCP value "X", by the same processing as (9) 
of the first embodiment, to the loosely edge-coupled 

50 service control device 3-20. 

(1 0) The loosely edge-coupled service control device 
(SC2)3-20 receives a packet, and then builds up Layer- 
7 Information and performs determination about a Lay- 
er-7 trigger. As the content request does not contain any 

55 content for translation, the Layer-7 trigger is not detect- 
ed. Next, the loosely edge-coupled service control de- 
vlce(SC2)3-20 recognizes that Layer-3 service (Dlff- 
Serv) Is applied to the received packet, and reserves its 
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IP address (Addr(SC2-2)) and port number (Port 
(SC2-2)), and sets them In the Independent Layer-3 pro- 
file (SP2-3) 3-20 (Flg.17). 

[0071] The loosely edge-coupled service control de- 
vice 3-20 specifies the edge device 5, to which the In- 
dependent Layer-3 profile will be transmitted, based on 
the destination address of the Web server device 6, and 
then transmits the Independent Layer-3 profile con- 
cerned to the edge device 5. Hie edge device 5 caches 
the received Independent Layer-3 profile (SP2-3). 

(11 ) After that, the loosely edge-coupled service control 
device 3-20 transmits the content request, in which a 
Layer- 7 trigger has not been detected, to the Web server 
device 6 directly. At that time, "Addr(SC2-2r Is set to 
the IP address of a packet transmitter, n Port(SC2-2) B Is 
set to the TCP port number of the packet transmitter, 
and the DSCP value H X n identical with that of the re- 
ceived packet is set to the DSCP value of the header. 
The edge device 5 clears the DSCP value "X" of the re- 
ceived packet, and then transmits the packet to the Web 
server device 6. 

(12) The Web server device 6 transmits a content re- 
sponse corresponding to the received content request 
to the edge device 5. The destination of the packet Is 
the loosely edge-coupled service control device 3-20, 
the destination IP address of the packet Is set to "Addr 
(SC2-2) a , and the destination TCP port number of the 
packet Is set to B Port(SC2-2) n . When the packet passes 
through the edge device 5, Layer-3 service correspond- 
ing to the previously cached. Independent Layer-3 pro- 
file (SP2-3) is applied to the packet because the packet 
matches the Independent Layer-3 profile, and the DSCP 
value of the packet Is set to "X*. 

(13) The loosely edge-coupled service control device 
3-20 builds up Layer- 7 Information about the received 
packet, and performs determination of the Layer-7 trig- 
ger. In this embodiment, the content transmitted by the 
Web server 6 Is an English content, and thereby the Lay- 
er-7 trigger Is detected. As a result, the loosely edge- 
coupled service control device 3-20 transmits a content 
processing request to the service Implementing server 
devlce(SE)8 which Implements an Engllsh-to-Japanese 
translation service. 

(14) The service implementing server device 8 performs 
EngllsfHo-Japanese translation processing of the re- 
ceived English content, and transmits the obtained Jap- 
anese content to the loosely edge-coupled service con- 
trol device 3-20. 

(15) The loosely edge-coupled service control device 
3-20 transmits a content response including the Japa- 
nese content to the mobile terminal 1 . At that time, the 
edge device 2 clears the DSCP value "X" of the packet 
when relaying It. 

[00721 Figs. 18 and 19 show a third embodiment of the 
present invention. Fig.1 8 shows a third example config- 
uration of a service control network according to the 
present Invention, and Fig. 19 shows an example of Its 
operation sequence. In Flg.18, the edge device 2 does 



not connect with a tightly edge-coupled service control 
device. Another edge device (EX) 9-1 connects with a 
tightly edge-coupled service control devlce(SC 1)3-20. 
Also In this embodiment, the service control device 

s (SC1 )3-20 Is a loosely edge-coupled service control de- 
vice for the edge device (E1) 2 as shown by a dotted 
line in the figure. The mobile terminal 1 in this embodi- 
ment has subscribed to an Engllsh-to-Japanese trans- 
lation service which Is a Layer-7 service, but not to a 

to Layer-3 service. 

[0073] The operation of the third embodiment is de- 
scribed below with reference to Flg.1 9. 
(1 ) and (2) are identical to the second embodiment ex- 
cept that the edge device 2 transmits an authentication 

is request message to the authentication server device 4 
directly because there Is no tightly edge-coupled service 
control device with which the edge device 2 can con- 
nect 

(3) The authentication server device 4 receives the au- 

20 thendcatlon request message, and then performs au- 
thentication processing for the mobile terminal 1 . When 
the authentication server device 4 has succeeded In the 
authentication, It specifies the service, to which the mo- 
bile terminal 1 has subscribed, In the same manner as 

25 in the second embodiment. As a result of this, the Eng- 
lish-to-Japanese translation can be controlled by the 
loosely edge-coupled service control devlce(SC1)3-20, 
and It Is also recognized, in case of this embodiment, 
that Layer-7 profiles are provided statically. 

30 [0074] The word "statically" means that a Layer-7 pro- 
file has been provided for a predetermined service con- 
trol device In such manner that it is kept In the predeter- 
mined service control device and, in this embodiment, 
the loosely edge-coupled service control device 3-20 

35 holds the Layer-7 profile. The authentication server de- 
vice 4 further recognizes that the mobile terminal 1 has 
not subscribed to a Layer-3 service. As a result, the au- 
thentication server device 4 creates only a dependent 
Layer-3 profile (P3-4) related to Engllsh-to-Japanese 

40 translation service, sets it to the authentication response 
message, and then transmits the response message to 
the edge device 2. The configuration of the aforemen- 
tioned dependent Layer-3 profile (P3-4) is identical to 
that shown in Fig. 11. 

45 (4) The edge device (E1 ) 2 receives the authentication 
response message, and then caches the dependent 
Layer-3 profile (P3-4), to transmit the authentication re- 
sponse message, In which the profile Is not included, to 
the mobile terminal 1 . 

so (5) The operation after that is identical with (9) to (15) 
of the second embodiment. However, as a Layer-3 serv- 
ice is not applied in this embodiment, It Is excepted that 
a profile corresponding to the Independent Layer-3 pro- 
file (SP3-3) Is transmitted from the loosely edge-coupled 

55 service control device 3-20 to the edge device 5 ((1 0) in 
the second embodiment). 

[0075] Figs. 20 and 21 show a fourth embodiment of 
the present Invention. Fig.20 shows a fourth example 
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configuration of a service control network according to 
the present Invention, and Fig .21 shows an example of 
Its operation sequence. 

[00761 In Rg.20, the edge device (E1) 2 does not di- 
rectly connect with a service control device, but another 
edge device (Ex) 9-1 connects with a tightly edge-cou- 
pled service control device(SC 1)3-1 0. Another edge de- 
vice (Ey) 9-2 connects with a function-dependent serv- 
ice control devtce(SC2)3-30. The function-dependent 
service control devlce<SC2)3-30 performs service con- 
trol utilizing the function of another service control de- 
vice 3-10. 

[00771 The service control device 3-1 0 is not directly 
connected to the edge device 2, but Is a tightly edge- 
coupled service control device for the edge device 2 as 
shown with a solid line In the figure. The mobile terminal 
1 in this embodiment has subscribed to a URL filtering 
service which Is a Layer-7 service, but not to a Layer-3 
service. 

[0076] The operation of the fourth embodiment Is de- 
scribed below with reference to Fig. 21 . 
(1 ) to (3) are Identical to (3) to (5) of the first embodiment 
except that the edge device 2 transmits an authentica- 
tion request message through the network 7 to only one 
tightly edge-coupled service control device 3-10 with 
which the edge device 2 can connect. 

(4) The authentication server device 4 receives the 
aforementioned authentication request message, and 
then performs authentication processing for the mobile 
terminal 1 concerned. When the authentication server 
device 4 has succeeded in the authentication, it speci- 
fies the service, to which the mobile terminal 1 has sub- 
scribed, In the same manner as the first embodiment In 
this embodiment, the authentication server device 4 rec- 
ognizes that URL filtering service can be controlled by 
the function-dependent service control device 3-30, 
which can be connected to the tightly edge-coupled 
service control device 3-10. 

[0079] The authentication server device 4 further rec- 
ognizes that the mobile terminal 1 has not subscribed 
to Layer-3 service. As a result, the authentication server 
device 4 creates only the dependent Layer-3 profile 
(P4-4) related to URL filtering service, sets it to the au- 
thentication response message, and transmits the re- 
sponse message to the tightly edge-coupled service 
control device 3-10. 

[0060] The configuration of the aforementioned de- 
pendent Layer-3 profile (P4-4) Is identical with that 
shown in Fig. 11. 

(5) The tightly edge-coupled service control device 3-1 0 
receives the authentication response message, and 
then recognizes that the Layer-7 profile (P4-1 ) is not set 
In the authentication response message, to transmit the 
received authentication response message to the edge 
device 2 as it is. 

(6) The edge device 2 receives the authentication re- 
sponse message, and then caches the dependent Lay- 
er-3 profile (P4-4) to transmit the authentication re- 



sponse message, In which the profile is not included, to 
the mobile terminal 1 . 

(7) The mobile terminal 1 transmits a content request 
packet to the Web server device 6, and then the edge 

5 device 2 stores It for a while. In this embodiment, the 
packet Is transmitted to the tightly edge-coupled service 
control device 3-10 because it matches the dependent 
Layer-3 profile (P4-4). 

(8) The tightly edge-coupled service control device 3-1 0 
10 receives the packet, and then builds up Layer-7 Infor- 
mation to perform determination about a Layer-7 trigger. 
The tightly edge-coupled service control device 3-1 0 de- 
tects a Layer-7 trigger, and then notifies the function- 
dependent service control device 3-30. 

1* (9) The function-dependent service control device 3-30 
manages and Implements the URL filtering service. 
When the content request packet has passed the URL 
filter, the function-dependent service control device 3-30 
transmits a service control request to the tightly edge- 

20 coupled service control device 3-1 0 to request the con- 
nection to the Web server device 6. 
{1 0) The tightly edge-coupled service control device 
3-10 receives the aforementioned service control re- 
quest and then restarts the processing to transmit a con- 

25 tent request to the Web server device 6. 

(11) The Web server device 6 transmits a content re- 
sponse to the tightly edge-coupled service control de- 
vice 3-10. 

(12) The tightly edge-coupled service control device 
so 3-10 receives the packet showing the content response, 

and then builds up Layer-7 information to perform de- 
termination about a Layer-7 trigger and a Layer-7 event. 
In this embodiment, the tightly edge-coupled service 
control device 3-1 0 does not detect any one of the Lay- 
as er-7 trigger and the Layer-7 events, and transmits the 
content response to the mobile terminal 1 . 
[0081] Figs.22 to 24 show a fifth embodiment of the 
present Invention. Flg.22 shows a fifth example config- 
uration of a service control network according to the 
40 present Invention, Flg.23 shows an example of Its oper- 
ation sequence, and Flg.24 shows an example of a serv- 
ice profile, etc. 

[0082] In Fig.22, the edge device (E1 ) 2 connects with 
only one tightly edge-coupled service control device 

45 (SC1 ) 3-1 0. The mobile terminal (MT) 1 has subscribed 
to a Layer-3 service (called "dependent L3 service' 1 
hereinafter) and it Is determined whether a Layer-3 serv- 
ice (DtffServ) is applied or not according to the content 
of the Layer-7 information. 

so [0083] The operation of the fifth embodiment is de- 
scribed below with reference to Flg.23. 
(1 ) to (3) are Identical to (3) to (5) of the first embodiment 
except that the edge device 2 transmits an authentica- 
tion request message to only one tightly edge-coupled 

55 service control device 3-1 0 with which the edge device 
2 can connect through the network 7. 
(4) The authentication server device 4 receives the 
aforementioned authentication request message, and 
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then performs authentication processing for the mobile 
terminal 1 . When the authentication server device 4 has 
succeeded In the authentication, It specifies the service, 
to which the mobile terminal 1 has subscribed, in the 
same manner as In the first embodiment. In this embod- 
iment, the authentication server device 4 recognizes 
that dependent Layer-3 service can be controlled by the 
tightly edge-coupled service control device 3-1 0, and It 
Is necessary provide Its Layer-7 profile (P5-1) dynami- 
cally. 

[0084] As shown in Flg.24, the Layer-7 profile of the 
dependent Layer-3 service Includes the Independent 
Layer-3 profiles (P5-2 and P5-3) to control DiffServ, in 
this embodiment, as part of It The authentication server 
device 4 creates a dependent Layer-3 profile (P5-4) re- 
lated to the Layer-7 profile, and sets the Layer-7 profile 
(P5-1 ) In the authentication response message to trans- 
mit the response message to the tightly edge-coupled 
service control device 3-10. The configuration of the 
aforementioned dependent Layer-3 profile (P5-4) is 
identical to that in Flg.11. 

(5) The tightly edge-coupled service control device 3-1 0 
receives the authentication response message, and 
then recognizes that the Layer-7 profile (P5-1) Is set In 
the authentication response message, and caches it. 
The tightly edge-coupled service control device 3-10 
transmits the authentication response message Includ- 
ing only the remained dependent Layer-3 profile (P5-4) 
to the edge device 2. 

(6) The edge device 2 receives the authentication re- 
sponse message, and then caches the dependent Lay- 
er-3 profile (P5-4) to transmit the authentication re- 
sponse message, in which the profile is not included, to 
the mobile terminal 1 . 

(7) The mobile terminal 1 transmits a content request 
packet to the Web server device 6, and the edge device 
2 stores it for a while. In this embodiment, the packet is 
transmitted to the tightly edge-coupled service control 
device 3-1 0 because It matches the dependent Layer-3 
profile (P5-4). 

(8) The tightly edge-coupled service control device 3-10 
receives the packet, and then builds up Layer-7 Infor- 
mation to perform determination about a Layer-7 trigger 
In this embodiment, the tightly edge-coupled service 
control device 3-10 detects the Layer-7 trigger, and 
transmits the Independent Layer-3 profile (P5-2) of the 
Independent Layer-3 profiles (P5-2 and P5-3) Included 
in the previously obtained Layer-7 profile to the edge 
device (E1 ) 2 managing the mobile terminal 1 . 

(9) Likewise, the tightly edge-coupled service control 
device 3-1 0 also transmits an independent Layer-3 pro- 
file (SP5-3) created with reference to the Independent 
Layer-3 profile (P5-3) to the edge device (E2) 5 manag- 
ing the Web server 6 with which the mobile terminal 1 
communicates. At that time, the destination IP address 
is set to "Addr(SC1-1) M , and the destination TCP port 
number is set to w Port(SC1-1)", as the "conditions" of 
the Independent Layer-3 profile (SP5-3). 



(1 0) After that, the tightly edge-coupled service control 
device 3-1 0 transmits a content request packet to the 
Web server. When the packet Is relayed by the edge 
device 2, It matches the Layer-3 profile (P5-2) previously 

5 obtained by the edge device 2, and Its DSCP value Is 
set to "X". 

(11) The Web server device 6 transmits a content re- 
sponse corresponding to the received contents packet 
to the tightly edge-coupled service control device 3-10. 

10 (1 2) When the packet transmitted from the Web server 
device 6 to the tightly edge-coupled service control de- 
vice 3-1 0 is relayed by the edge device 5, it matches the 
Layer-3 profile (SP5-3) previously obtained by the edge 
device 5, and its DSCP value Is set to "X". As the DSCP 

is value B X B matches the DSCP value "X" set to the Inde- 
pendent Layer-3 profile (SP5-3) by the edge device <E2) 
5 in the procedure (1 0), It is Inherited by the packet trans- 
ferred from the tightly edge-coupled service control de- 
vice 3-10 to the edge device 2. 

20 f0O85] In each of the aforementioned embodiments, 
an edge device and a service control device are de- 
scribed as a physical device different from each other. 
But they may be provided In a physical device which re- 
alizes the functions of both of them. 

25 [0086] Below are described, assuming thatthe afore- 
mentioned embodiments of the present Invention are 
understood, detail control flows of functional sections of 
edge devices 2, service control devices 3, and authen- 
tication server devices 4 which totally realize the em- 

30 bodiments of the present invention. 

[0087] Figs.26 to 31 show control flows of functional 
sections of an edge device 2 according to the present 
invention. Regarding the aforementioned functional 
sections, refer to Fig.2. 

35 [0088] Flg.25 shows an example of the control flow of 
the authentication client section 25. 
[0089] The authentication client section 25 receives 
an authentication request message from the mobile ter- 
minal 1 , and then transmits a service control device se- 

40 lection request to the service control device managing 
section 24 (S1 002 and S1 003). 
[0090] As a result, the authentication client section 25 
receives an address necessary for communicating with 
the authentication server section 421 (Fig.3) of the au- 

4* thenticatlon server device 6 or the authentication proxy 
section 32 (Flg.3) of the tightly edge-coupled service 
control device, as a service control device selection re- 
sponse message from the sen/ice control device man- 
aging section 24 (S1004). After that, the authentication 

so client section 25 transmits an authentication request 
message to the received address, and receives an au- 
thentication response message responding to the re- 
quest message (S10O5 and S1006). 
[0091] Next, the authentication client section 25 de- 

55 tannines whether it has succeeded in the authentica- 
tion, and when it has succeeded in the authentication, 
It determines whether the authentication response mes- 
sage includes a Layer-3 profile (S1007 and S1009). 
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When the authentication response message Includes a 
Layer-3 profile, the authentication client section 25 
transmits a Layer-3 profile registration request to the 
Layer-3 profile managing section 21 , and then transmits 
a response message indicating the success of the au- 
thentication to the mobile terminal 1 after receiving a 
registration response (S1010to 1012). 
[0092] On the contrary, when the authentication re- 
sponse message does not Include a Layer-3 profile, the 
authentication client section 25 only transmits a re- 
sponse message Indicating the success of the authen- 
tication to the mobile terminal 1 (S1012). On the other 
hand, when the authentication client section 25 has not 
succeeded In the authentication, it transmits a response 
message Indicating the failure of the authentication to 
the mobile terminal 1 (SI 007 and S1 008). 
[0093] Flgs.26 to 29 show an example of the control 
flow of the service basic processing section 23. Fig. 26 
shows an example of the control flow in case of having 
received a packet. The service basic processing section 
23 receives a packet from the communication process- 
ing section 26, and then transmits a request to apply the 
Layer-3 service of the received packet to the L3 profile 
managing section 21 (S1102 and S1103). The service 
basic processing section 23 receives a response for ap- 
plying the Layer-3 service from the L3 profile managing 
section 21 , and then transmits a packet to the commu- 
nication processing section 26 (S1104 and S1105). 
[0094] Fig. 27 shows an example of the control flow in 
case of having received a Layer-3 profile request. The 
service basic processing section 23 receives a Layer-3 
profile request message from another edge device 5, 
and then transmits a Layer-3 profile request to the L3 
profile managing section 21 (S1202 and S1203). The 
service basic processing section 23 receives a Layer-3 
profile response responding to the Layer-3 profile re- 
quest from the L3 profile managing section 21 , and then 
transmits a Layer-3 profile response message to the 
service basic processing section 52 of the edge device 
5(S1204 and S1205). 

[0095] Flg.28 shows a control flow in case of having 
received a Layer-3 profile. The service basic processing 
section 23 receives a Layer-3 profile transmitted by the 
service basic processing section 52 of the edge device 
5, or the service basic processing section 333 (Flg.3) ol 
the tightly edge-coupled service control device or the 
loosely edge-coupled service control device 3, and then 
transmits a Layer-3 profile registration request to the L3 
profile managing section 21 (S1302 and S1303). The 
service basic processing section 23 receives a Layer-3 
profile registration response responding to the Layer-3 
profile registration request from the L3 profile managing 
section 21 , and then transmits a Layer-3 profile recep- 
tion message to the transmitter of the Layer-3 profile 
(S1 304 and S1305). 

[0096] Fig.29 shows an example of the control flow in 
the case of having received a service control device In- 
formation notice. The service basic processing section 



23 receives a service control device Information notice 
from the service basic processing section 333 (Flg.3) of 
the service control device 3, and then transmits a re- 
quest for registering the received service control device 

5 information to the service control device managing sec- 
tion 24 to receive a response Indicating the completion 
of the registration from the service control device man- 
aging section 24 (S1 402 to S1 404). After that, the serv- 
ice basic processing section 23 may transmit a service 

10 control Information notice reception message to a serv- 
ice control device 3 to notify it of the service control de- 
vice Information. 

[0097] Fig.30 shows an example of the control flow of 
the L3 profile managing section 21 . The L3 profile man- 

f* aging section 21 receives a Layer-3 profile application 
request from the Layer-3 service processing section 22, 
and then retrieves a Layer-3 profile matching the condi- 
tions of destination/source IP addresses and destina- 
tion/source port numbers set in the packet to which Lay- 

20 er-3 service Is applied (S1502 and S1503). 

[0098] When there Is a Layer-3 profile matching the 
aforementioned conditions, the L3 profile managing 
section 21 applies the content of the retrieved Layer-3 
profile to the packet (S1 504 to S1 506). On the contrary, 

25 when there is no Layer-3 profile match ing th e aforemen- 
tioned conditions, the L3 profile managing section 21 
does nothing, in any of the above cases, the L3 profile 
managing section 21 transmits a Layer-3 profile appll- 
catiorr response to the Layer-3 service processing see- 
so tion22. 

[0099] Figs.31 and 32 show a control flow of the serv- 
ice control device managing section 24. 
[0100] Fig.31 shows a control flow In case of having 
received a service control device selection request The 

35 service control device managing section 24 receives a 
service control device selection request from the au- 
thentication client section 25, and then determines 
whether there Is a tightly edge-coupled service control 
device 3 with which it can connect (S1 602 and S1 603). 

to When there Is no tightly edge-coupled service control 
device 3 with which it can connect, it transmits, an ad- 
dress for it to communicate with the authentication serv- 
er section 421 (Fig. 3) of the authentication server device 
4, to the authentication client section 25, as a service 

<5 control device selection response (S1 604). 

[0101] On the contrary, when there Is a tightly edge- 
coupled service control device 3 with which It can con- 
nect, It determines whether there Is only one tightly 
edge-coupled service control device 3 (S1605). in the 

50 case that there are a plurality of tightly edge-coupled 
service control devices 3, one of them Is selected. In 
case that there is only one tightly edge-coupled service 
control device 3, It is selected. After that, service control 
device managing section 24 transmits an address, for It 

55 to communicate with the authentication proxy section 32 
(Fig.3) of the tightly edge-coupled service control device 
3, to the authentication client section 25 (S1606 and 
S1607). 
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[0102] Fig. 32 shows a control flow in case of having 
received a service control device information registra- 
tion request. The service control device managing sec- 
tion 24 receives a service control device Information reg- 
istration request from the service basic processing sec- 
tion 333 (Flg.4) of the tightly edge-coupled service con- 
trol device 3, and then registers the service control de- 
vice Information to transmit a response message Indi- 
cating the completion of the registration of the service 
control device Information to the service basic process- 
ing section 333 (S1702 to S1704). 
[0103J Flgs.33 to 43 show control flows of functional 
sections of a service control device 3 according to the 
present Invention. Regarding the aforementioned func- 
tional sections, refer to Fig. 3. 
[0104] Flgs.33 and 34 show a control flow of the au- 
thentication proxy section 32. The authentication proxy 
section 32 receives an authentication request message 
from the authentication client section 25 (Fig.2) of the 
edge device 2, andthen transmits ittothe authentication 
server section 421 of the authentication server device 4 
to receive an authentication response message, re- 
sponding to It, from the authentication server section 
421 (S2002 to S2004). 

[0105] Next, the authentication proxy section 32 de- 
termines whether It has succeeded the authentication. 
In case of failure, it transmits a response message Indi- 
cating the failure of the authentication to the authentica- 
tion client section 25 of the edge device 2 (S2005 and 
S2013). On the other hand, In the case of success, it 
determines whether the authentication response mes- 
sage Includes a Layer-7 profile and an associated de- 
pendent Layer-3 profile (S2005 and S2006). When a 
Layer-7 profile is set in the message, it transmits, for the 
purpose of caching the Layer-7 profile, a Layer-7 profile 
registration request to the profile managing section 31 
to receive a registration response responding to the re- 
quest (S2007 and S2008). 

[0106] The authentication proxy section 32 also de- 
termines whether an Independent Layer-3 profile is reg- 
istered. In the case that an Independent Layer-3 profile 
Is not registered, It transmits a response message Indi- 
cating the success of the authentication as it is to the 
authentication client section 25 of the edge device 2 
(S2009 and S2012). On the contrary, when an Inde- 
pendent Layer-3 profile is registered, It transmits an in- 
dependent Layer-3 profile registration request to the 
profile managing section 31 to receive a registration re- 
sponse responding to the request from the profile man- 
aging section 31, and then transmits a response mes- 
sage indicating the success of the authentication to the 
authentication client section 25 of the edge device 2 
(S2009 and S2012). 

[0107] Figs. 35 to 38 show a control flow of the service 
basic processing section 333. Figs.35 and 36 show a 
control flow of the service basic processing section 333 
in case of having received a packet. This control flow Is 
common to a tightly edge-coupled service control device 



and a loosely edge-coupled service control device. 
[0108] The service basic processing section 333 re- 
ceives a packet from the communication processing 
section 34, and then builds up Layer-7 information from 

s the received packet (S2102 and S21 03). Furthermore, 
when the destination address of the packet is that of the 
service control device 3, the service basic processing 
section 333 obtains information about a communication 
partner device (Web server device 6 In case of this em- 

10 bodlment) to which the mobile terminal 1 wants to com- 
municate, from the built up Layer-7 Information, and ob- 
tains the address of the communication partner device 
by using the obtained information and a function of DNS 
(Domain Name System), or the like, not shown In the 

*3 figures. 

[01 09] Next, the service basic processing section 333 
determines whether Layer-3 service Is applied to the re- 
ceived packet (S2104). In case that Layer-3 service Is 
applied, it notifies the service Information obtained after 

20 the determination to the service switching section 332 
with the Layer-7 Infdimatlon (S2106 and S2107). On the 
contrary, when Layer-3 service is not applied, it passes 
the Layer-7 Information, In which Layer-3 service is set 
to "NULL (no applied service)", to the switching section 

25 332(S2105andS2106). 

[0110] The service basic processing section 333 re- 
ceives a Layer-7 Information transmission request and, 
then at first, assigns an IP address and port number, 
which- are used for the transmission of the Layer-7 In- 

30 formation and have not been assigned In the service 
control device 3, for the information transmission, and 
determines whether it is necessary to apply a Layer-3 
service (S2107 and S2109). When Layer-3 service Is 
not applied (In case of NULL), the service basic process- 
as ing section 333 creates a packet to which Layer-3 serv- 
ice is not applied and transmits a packet transmission 
request to the communication processing section 34 
(S2115 and S2116). On the other hand, when Layer-3 
service is applied, the service basic processing section 

40 333 requests the profile managing section 31 to send 
an independent Layer-3 profile corresponding to the 
Layer-3 service, and then receives an Independent Lay- 
er-3 profile response from the profile managing section 
31 . In this case, the service basic processing section 

45 333 sets the previously obtained IP address and port 
number In the condition of the Independent Layer-3 pro- 
file, and then transmits Its Independent Layer-3 profile 
to the service basic processing section 23 (Fig. 2) of the 
edge device 2 (S2112 and S2113). 

so [0111] Furthermore, when the service control device 
3 transmits the Independent Layer-3 profile like the sec- 
ond embodiment, it selects the iP address of the edge 
device 5 from the IP address of the communication part- 
ner , and then transmits an Independent Layer-3 profile 

55 tothelPaddress(S2112ands2113). 

[0112] The service basic processing section 333 re- 
ceives an Independent Layer-3 profile reception notice 
responding to the Independent Layer-3 profile transmls- 
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slon, and then creates a packet from Layer-7 informa- 
tion according to whether Layer-3 service Is applied or 
not, and transmits a packet transmission request to the 
communication processing section 34 (S2115 and 
S2116). 

[01 1 3] Rg.37 shows acontrol flow of the service basic 
processing section 333 In case of notifying the number 
of Layer-7 profiles and the number of users registered 
In the Layer-7 profiles. The service basic processing 
section 333 requests Information about the number of 
Layer-7 profiles and number of the users to the profile 
managing section 31, and obtains the Information 
(S2202 and S2203). The Information obtained by the 
service basic processing section 333 of the tightly edge- 
coupled service control device 3 Is notified to the service 
basic processing section 23 (Flg.2) of the edge device 
2 which is connected with the tightly edge-coupled serv- 
ice control device 3, and the Information obtained by the 
service basic processing section 333 of the loosely 
edge-coupled service control device 3 is notified to the 
service control device managing section 424 of the au- 
thentication server device 4 (S2204). 
[01 14J Flg.38 shows acontrol flow of the service basic 
processing section 333 in case of notifying load infor- 
mation. This control flow corresponds to the flow of no- 
tifying load state In the first embodiment The service 
basic processing section 333 measures the processing 
load of the service control device 3 of Its own (S2302). 
The load information measured by the service basic 
processing section 333 of the tightly edge-coupled serv- 
ice control device 3 is notified to the service basic 
processing section 23 (Flg.2) of the edge device 2 which 
is connected with the tightly edge<oupled service con- 
trol device 3, and the load Information measured by the 
service basic processing section 333 of the loosely 
edge-coupled service control device 3 Is notified to the 
sen/ice control device managing section 424 of the au- 
thentication server device 4 (S2303). 
[01151 Each of the operations shown In Flgs.37 and 
38 Is common to a tightly edge-coupled service control 
device and a loosely edge-coupled service control de- 
vice. The operations may be executed periodically and 
information (number) obtained may be notified at every 
execution, or the information may be notified only when 
the latest number is larger than the previous number by 
a certain quantity or ratio. 

[01 161 Flg8.39 and 40 show a control flow of the serv- 
ice switching section 332. This operation Is common to 
a tightly edge-coupled service control device and a 
loosely edge-coupled service control device. The serv- 
ice switching section 332 receives Layer-7 Information 
notice from the service basic processing section 333, 
and then analyzes a Layer-7 trigger and/or a Layer-3 
event, and determines whether the service switching 
section 332 has detected a Layer-7 trigger and/or a Lay- 
er-3 event (S2402 to 2404). 

[0117] When the service switching section 332 has 
not detected a Layer-7 trigger and/or a Layer-7 event, 



It transmits Layer-7 Information transmission request to 
the service basic processing section 333 (S2404 and 
S2411). On the contrary, when the service switching 
section 332 has detected a Layer-7 trigger and/or a Lay- 

5 er-7 event, It performs the following processing about 
all of the detected Layer-7 triggers and Layer-7 events, 
and after it has completed the processing, it transmits a 
Layer-7 Information transmission request to the service 
basic processing section 333 (52405). 

10 [0118] The service switching section 332 determines 
whether it should stop the processing until it receives a 
control command from the service control section 331 
after notifying a Layer-7 trigger or a Layer-7 event to the 
service control section 331 (S2406). When it Is neces- 

15 sary to stop the processing for a while, the service 
switching section 332 notifies a Layer-7 trigger or a Lay- 
er-7 event to the service control section 331 , and is in a 
standby state until receiving a service control request 
from the service control section 331 (s2407). 

20 [0119] After that, the service switching section 332 re- 
ceives a corresponding service control request from the 
service control section 331 , and then performs neces- 
sary processing In accordance with the request. When 
a Layer-7 event to be notified to the service control sec- 

25 tion 331 is designated, the service switching section 332 
stores the Layer-7 event (S2408 and S2409). 
[01 20] When It Is not necessary to stopthe processing 
for a while, the service switching section 332 notifies a 
Layer-7 trigger or a Layer-7 event to the service control 

30 section 331 , and determines if there are the other Layer- 
7 triggers and/or Layer-7 events to be detected (S2405) . 
In any of the above both cases, the service switching 
section 332 determines whether a service control sec- 
tion 331 to which a Layer-7 trigger or Layer-7 event Is 

35 notified Is the service control section 331 of the service 
control device (tightly edge-coupled service control de- 
vice or loosely edge-coupled service control device) in 
which the service switching section 332 Is provided, or 
the service control section 331 of another service control 

40 device (function-dependent service control device), and 
then notifies the Layer-7 trigger or Layer-7 event to the 
selected service control section 331 . 
[01 21] Figs. 41 and 42 show a control flow of the serv- 
ice control section 331 . This operation is common to a 

4* tightly edge-coupled service control device and a loose- 
ly edge-coupled service control device. The service con- 
trol section 331 receives a Layer-7 trigger notice from 
the service switching section 332 of the service control 
device in which the service control section 331 is pro- 

50 vided, or the service switching section 332 of another 
service control device, and then starts service for 
processing the Layer-7 trigger (S2502 and S2503). 
[0122] The service control section 331 transmits a 
Layer-7 profile request to the profile managing section 

55 31 to receive a response responding to the request, and 
then performs processing corresponding to the service 
while referring to the received Layer-7 profile (S2504 to 
S2506). Next, the service control section 331 deter- 
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mines whether It transmits a service control request to 
the service switching section 332. In the casethat It does 
not transmit a service control request, It stops the 
processing (S2507 and S2512). 
[0123] On the contrary, In the case that it transmits a 
service control request, it transmits one or more service 
control requests to the service switching section 332 
(S2508). In the case that It has transmitted a Layer-7 
event notice request as a service control request to the 
service switching section 332, It receives a Layer-7 
event notice from the service switching section 332 and 
performs processing corresponding to the service 
(S2509 to S2511). On the other hand, in the case that it 
has transmitted no Layer-7 event notice request, It stops 
the processing (S2509 and S2512). 
[0124] Fig. 43 shows a control flow of the service Im- 
plementing section 334. This control flow is Identical 
with that of the service Implementing section 82 of the 
service implementing server device 8 independent from 
others. The service Implementing section 334 receives 
a service Implementation request from the service basic 
processing section 333 and Implements the requested 
service, and then transmits the result of the Implemen- 
tation to the service basic processing section 333 by a 
service implementation response (S2602 to S2604). 
[0125] Flgs.44 to 52 show a control flows of the func- 
tional sections of an authentication server device 4 ac- 
cording to the present Invention. Regarding the function- 
al' sections, refer to Flg.3. 

[0126] Flgs.44 and 45 show a control flow of the au- 
thentication server section 421. The authentication 
server section 421 receives an authentication request 
message from the authentication proxy section 32 of the 
tightly edge-coupled service control device 3, or the au- 
thentication client section 25 (Flg.2) of the edge device 
2, and then performs the authentication processing 
(S3002 and S3003). 

[0127] Next,theauthenticatlonserversectlon421 de- 
termines whether the authentication has succeeded or 
not. In the case that the authentication has failed, it 
transmits a response message Indicating the failure of 
the authentication to the source of the authentication re- 
quest (S3005). In case that the authentication has suc- 
ceeded, it transmits a profile transfer request to the pro- 
file transferring section 423 to receive a profile transfer 
response responding to the request (53006 and 
S3007). In this case, it determines whether the received 
response includes a Layer-3 profile and/or a Layer-7 
profile. 

[0128] In the case that the received response includes 
a Layer-3 profile and/or Layer-7 profile, It creates an au- 
thentication response Including the Layer-3 profile and/ 
or Layer-7 profile, and In the case that the received re- 
sponse does not Include a Layer-3 profile and Layer-7 
profile, it creates an authentication response not includ- 
ing a Layer-3 profile or a Layer-7 profile. After that, the 
authentication server section 421 transmits a response 
message of authentication success Including the au- 



thentication response to the source of the authentication 
request (S3009 to S3011). 

[01 29] Flgs.46 to 51 show a control flow of the profile 
transferring section 423. In Flgs.46 and 47, the profile 
5 transferring section 423 receives a profile transfer re- 
quest from the authentication server section 421, and 
then transmits an inquiry about Layer-7 service to which 
a user to be authenticated has subscribed to the profile 
managing section 422, and receives an response re- 
sponding to the request (S3102 to S3104). The profile 
transferring section 423 determines whether there is a 
Layer-7 service to which the user has subscribed, based 
on the response (S31 05). In case thatthere is no Layer- 
7 service to which the user has subscribed, the profile 
transferring section 423 transmits an Independent Lay- 
er-3 profile request to the profile managing section 422 
to receive an Independent Layer-3 profile response 
(S3118 and S3119). At that time, when there is a Layer- 
7 profile which has been stored or created and its de- 
pendent Layer-3 profile and Independent Layer-3 pro- 
file, the profile transferring section 423 transmits a pro- 
file transfer response, Including them, to the authentica- 
tion server section 421 (S3120). 
[0130] On the other hand, when there Is a Layer-7 
service to which the user has subscribed, the profile 
transferring section 423 performs the following proce- 
dure regarding all of the Layer-7 services to which the 
user has subscribed (S3 106). After performing the pro- 
cedure, It transmits a profile transfer response to the au- 
thentication server section 421 by the same processing 
as that performed in the case that there is no Layer-7 
service to which the user has subscribed (S3118 to 
S3120). 

[0131] At first, the profile transferring section 423 
transmits an Inquiry of a service providing pattern to the 
service managing section 422 to receive Its response 
(S31 07 and S31 08). The profile transferring section 423 
determines that the service control device Indicated by 
the response Is either the tightly edge-coupled service 
control device 3-1 , the loosely edge-coupled service 
control device 3-2 or the function-dependent service 
control device 3-3 (S31 09). 

[0132] In the case of the tightly edge-coupled service 
control device 3-1 , the profile transferring section 423 
transmits the request for the Layei-7 profile of an au- 
thenticated user concerned to the profile managing sec- 
tion 422 to receive Its response (S31 1 0 and S311 1 ). Fur- 
thermore, the profile transferring section 423 transmits 
an inquiry about the reception address of Layer-7 serv- 
ice concerned of the tightly edge-coupled service con- 
trol device 3-1 providing Layer-7 service concerned to 
the service managing section 422 to receive Its re- 
sponse (S31 12 and S3113). 
[0133] Furthermore, the profile transferring section 
423 transmits a dependent Layer-3 profile request to the 
profile managing section 422 in order to obtain the de- 
pendent Layer-3 profile of Layer-7 service concerned to 
receive Its response (S3114 and S3115). Next, It sets 
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the packet transfer destination of the obtained depend- 
ent Layer-3 profile to the aforementioned Layer-7 serv- 
ice reception address of the tightly edge-coupled serv- 
ice control device 3-1 , and then stores the obtained or 
created Layer-7 prof He and Its dependent Layer-3 profile 5 
(S3116andS3117). 

[01 34] In the case of the loosely edge-coupled service 
control device 3-2, the profile transferring section 423 
transmits a request of selecting the loosely edge-cou- 
pled service control device 3-2to the service control de- w 
vice managing section 424 to receive its response as 
shown In Flgs.49 and 50 (S3122 and S3123). Further, 
it transmits an inquiry of the reception address of Layer- 
7 service concerned of the service control device for the 
Layer-7 service concerned to the service managing sec- 
tlon 422 to receive Its response (S3124 and S31 25). 
[0135] Furthermore, It transmits a dependent Layer-3 
profile request to the profile managing section 422 to 
receive Its response in order to obtain the dependent 
Layer-3 profile of Layer-7 service concerned (S3126 20 
and S3127). Next, It sets the packet transfer destination 
of the obtained dependent Layer-3 profile to the afore- 
mentioned Layer-7 service reception address of the 
loosely edge-coupled service control device 3-2 
(S312B). 25 
[01 36] Next, the profile transferring section 423 trans- 
mits an Inquiry for the Layer-7 profile providing pattern 
for a Layer-7 service concerned to the service managing 
section 422 to receive its response (S3129 and S31 30). 
The profile transferring section 423 determines whether 30 
the Layer-7 profile is provided dynamically or not. In the 
case that the Layer-7 profile is provided statically, it 
stores the obtained or created dependent Layer-3 pro- 
file (53131 and S3138). On the other hand, In the case 
that the Layer-7 profile is provided dynamically, It trans- 35 
mlt8 a request for the Layer-7 profile of an authenticated 
user concerned to the profile managing section 422 to 
receive Its response (S3131 to &3133). 
[0137] Furthermore, the profile transferring section 
423 transmits a request of the IP address of the loosely *o 
edge-coupled service control device 3-2 to which the 
Layer-7 profile Is transferred, to the service managing 
section 422 to receive its response (S3134 and S3135). 
The IP address is used for the profile transferring section 
423 to communicate with the authentication server com- 43 
munlcatlon section 37 of the loosely edge-coupled serv- 
ice control device 3-2. Using this address, the profile 
transferring section 423 transfers the Layer-3 profile and 
Layer-7 profile to the authentication server communica- 
tion section 37 of the loosely edge-coupled service con- so 
trot device 3-2 to receive Its transfer response (S3136 
and S3 137). The profile transferring section 423 stores 
the obtained or created dependent Layer-3 profile 
(S3138). 

[0138] In the case of the function-dependent service 55 
control device 3-3, the profile transferring section 423, 
as shown In Flg.51 , transmits a request of selecting the 
tightly edge-coupled service control device 3-1 or the 
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loosely edge-coupled service control device 3-2, either 
of which Is capable of connecting with the function-de- 
pendent service control device, to receive Its selection 
response (S31 39 and S3140). Next, the profile transfer- 
ring section 423 transmits an Inquiry of the reception ad- 
dress of Layer-7 service of the selected service control 
device to the service managing section 422 to receive 
its response (S3141 and S3142). 
[0139] Further, the profile transferring section 423 
transmits a dependent Layer-3 profile requestto the pro- 
file managing section 422 to receive Its response in or- 
der to obtain the dependent Layer-3 profile of Layer-7 
service concerned (S3143 and S3144). The profile 
transferring section 423 sets the packet transfer desti- 
nation of the dependent. Layer-3 profile to the Layer-7 
service reception address of the selected service control 
device (S3145). Furthermore, the profile transferring 
section 423 stores the obtained or created dependent 
Layer-3 profile (S3146). 

[0140] Fig. 52 shows a control flow of the service man- 
aging section 422. The service managing section 422 
receives the inquiry of a service providing pattern from 
the profile transferring section 423, and then retrieves a 
service providing pattern for the service corresponding 
to the inquiry and transmits the retrieved service provid- 
ing pattern to the profile transferring section 423 (S3202 
to S3204). Likewise, the service managing section 422 
receives the Inquiry of the reception address of Layer-7 
service of a service control device 3, and then transmits 
the Layer-7 service reception address of the service 
control device to be applied to the profile transferring 
section 423(S3205 to S3207). It receives the inquiry of 
the service providing pattern of the Layer-7 profile, and 
then transmits the service providing pattern of the Layer- 
7 profile to be applied to the profile transferring section 
423 (S3208 to S3210). 

[0141] As described above, the present invention pro- 
vides a service control network capable of providing 
Layer-7 service in addition to conventional Layer-3 serv- 
ice. The service control network allows a mobile user to 
obtain Layer-7 service through a network to which the 
user has moved, as though through the home network 
of the user, without considering the network utilized by 
the user. Furthermore, the service control network may 
perform various flexible and efficient content process- 
ings under the Layer-7 service environment and allows 
service providers to enter Into a Layer-7 service market 
easily. 



Claims 

1 . A service control network comprising: 

an authentication server device for performing 
user authentication; 

an edge device for performing Layer-3 service 
processing for a mobile terminal managed by 
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said edge device; and 
a service control device for performing Layer-7 
service control for the mobile terminal, 

wherein said authentication server device 
comprises a means for specifying a Layer-7 profile 
and an associated Layer-3 profile of the mobile ter- 
minal at the success of the authentication of the mo- 
bile terminal, 

the edge device comprising a means for 
transferring packets, which have been received 
from the mobile terminal after the success of the au- 
thentication of the mobile terminal and match said 
Layer-3 profile, to said service control device, 

the service control device comprising a 
means for controlling the Implementation of a Lay- 
er-7 service concerned for packets which have 
been received from said edge device and match 
said Layer-7 profile. 

2. The service control network of claim 1 , wherein said 
service control device Is a tightly edge-coupled 
service control device which has a logical connec- 
tion relation with a particular edge device and con- 
trols the implementation of a Layer-7 service con- 
cerned for a mobile terminal managed by said edge 
device In conjunction with said edge device. 

3. The service control network of claim 2, wherein said 
tightly edge-coupled service control device com- 
prises an authentication proxy means relaying a 
control signal for authentication between said edge 
device and said authentication server device. 

4. The service control network of dalm 2 or 3, wherein 
said tightly edge-coupled service control device fur- 
ther comprises a means for notifying the load infor- 
mation of said tightly edge-coupled service control 
device to said particular edge device In a certain cy- 
cle, and 

said edge device further comprises a means 
for selecting an tightly edge-coupled service control 
device for performing service control based on said 
load information. 

5. The service control network of claim 2, 3 or 4, further 
comprising a function-dependent service control 
device for controlling, in conjunction with said tightly 
edge-coupled service control device, the imple- 
mentation of a Layer-7 service for mobile terminals 
managed by an edge device which has a logical 
connection relation with the service control device. 

6. The service control network of any of claims 1 to 5, 
wherein said service control device is a loosely 
edge-coupled service control device which is al- 
lowed to have a logical connection relation with an 
optional edge device and controls the Implementa- 
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tlon of a Layer-7 service for mobile terminals man- 
aged by said edge device in conjunction with said 
edge device. 

5 7. The service control network of claim 6, further com- 
prising a function-dependent service control device 
for controlling, in conjunction with said loosely 
edge-coupled service control device, the Imple- 
mentation of a Layer-7 service for mobile terminals 

10 managed by an edge device which has a logical 
connection relation with the service control device. 

8. The service control network of any of claims 1 to 7, 
further comprising a Layer-7 service managing 

15 means for managing a Layer-7 profile of each mo- 
bile terminal. 

9. The service control network of claim 8, wherein said 
Layer-7 profile includes a Layer-3 profile corre- 

20 spondlng to a Layer-7 service concerned, and said 
edge device performs Layer-3 service processing 
based on said Layer-3 profile. 

10. A control method of a service control network com- 
25 prising an authentication server device for perform- 
ing user authentication, an edge device for perform- 
ing Layer-3 service processing for a mobile terminal 
managed by said edge device, and a service control 
device for performing Layer-7 service control forthe 

30 mobile terminal, wherein: - 

the mobile terminal transmits an authentication 
request message to said edge device; 
said edge device transmits said authentication 
3s request message to said service control device; 

said service control device transmits the au- 
thentication request message concerned to 
said authentication server device; 
said authentication server device transmits an 
^0 authentication response message together 

with a dependent Layer-3 profile and an inde- 
pendent Layer-3 profile related to a Layer-7 
profile concerned at the success of the authen- 
tication of the mobile terminal; 
^5 said service control device caches a Layer-7 

profile of said authentication response mes- 
sage and an independent Layer-3 profile of an- 
other edge device which will be a communica- 
tion partner of said service control device; 
so said edge device caches an independent Lay- 

er-3 profile and/or a dependent Layer-3 profile 
of said edge device of said authentication re- 
sponse message; 

said edge device performs Layer-3 service 
55 processing for packets which have been re- 

ceived from the mobile terminal and match the 
Independent Layer-3 profile, and transfers 
packets, which have been received from the 
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mobile terminal and match the dependent Lay- 
er-3 profile, to said service control device; and 
said service control device transfers the Inde- 
pendent Layer-3 profile to said another edge 
device, and controls the Implementation of a 5 
Layer-7 service concerned for packets which 
have been received from said edge device and 
match the Layer-7 profile. 

1 1 . The control method of claim 1 0, wherein: to 

said service network control device further 
comprises a service implementing server de- 
vice; and 

said service control device requests said serv- 15 
Ice Implementing server device to perform Lay- 
er-7 service processing of packets matching 
the Layer-7 profile. 
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